[Bug 1452115] Re: Python interpreter binary is not compiled as PIE
Paolo Pettinato
1452115 at bugs.launchpad.net
Tue Oct 16 10:34:45 UTC 2018
I do believe pie is explicitly disabled when building Python 3.6. Using
hardening-check on Ubuntu Bionic (from the devscripts package):
$ hardening-check /usr/bin/python3
/usr/bin/python3:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
Also from debian/rules in
http://archive.ubuntu.com/ubuntu/pool/main/p/python3.6/python3.6_3.6.5-3.debian.tar.xz:
export DEB_BUILD_MAINT_OPTIONS=hardening=-pie
According to http://manpages.ubuntu.com/manpages/bionic/man1/dpkg-buildflags.1.html
this syntax disables pie - it should be "+pie", and is enabled by default on Bionic:
$ dpkg-buildflags --status
dpkg-buildflags: status: vendor is Ubuntu
dpkg-buildflags: status: future features: lfs=no
dpkg-buildflags: status: hardening features: bindnow=no format=yes fortify=yes pie=yes relro=yes stackprotector=yes stackprotectorstrong=yes
dpkg-buildflags: status: qa features: bug=no canary=no
dpkg-buildflags: status: reproducible features: fixdebugpath=yes timeless=yes
dpkg-buildflags: status: sanitize features: address=no leak=no thread=no undefined=no
...
with the environment variable set:
$ DEB_BUILD_MAINT_OPTIONS=hardening=-pie dpkg-buildflags --status
dpkg-buildflags: status: environment variable DEB_BUILD_MAINT_OPTIONS=hardening=-pie
dpkg-buildflags: status: vendor is Ubuntu
dpkg-buildflags: status: future features: lfs=no
dpkg-buildflags: status: hardening features: bindnow=no format=yes fortify=yes pie=no relro=yes stackprotector=yes stackprotectorstrong=yes
dpkg-buildflags: status: qa features: bug=no canary=no
dpkg-buildflags: status: reproducible features: fixdebugpath=yes timeless=yes
dpkg-buildflags: status: sanitize features: address=no leak=no thread=no undefined=no
...
https://bugs.launchpad.net/bugs/1452115
Title:
Python interpreter binary is not compiled as PIE
Status in python2.7 package in Ubuntu:
Fix Released
Status in python3.4 package in Ubuntu:
Fix Released
Bug description:
The python2.7 binary (installed at /usr/bin/python2.7; package version
2.7.6-8) is not compiled as a position independent executable (PIE).
It appears that the python compilation process is somewhat arcane and
the hardening wrapper probably doesn't do the trick for it.
This is incredibly dangerous as it means that any vulnerability within
a native module (e.g. ctypes-based), or within python itself will
expose an incredibly large amount of known memory contents at known
addresses (including a large number of dangerous instruction
groupings). This enables ROP-based attacks (https://en.wikipedia.org/wiki
/Return-oriented_programming) that abuse the interpreter itself to
bypass non-executable page protections.
I have put together an example vulnerable C shared object (with a buffer overflow) accessed via python through the ctypes interface as an example. This uses a single ROP "gadget" on top of using the known PLT location for system(3) (https://en.wikipedia.org/wiki/Return-to-libc_attack) to call "id". The example code is accessible at:
- https://gist.github.com/ChaosData/ae6076cb1c3cc7b0a367
I'm not exactly familiar enough with the python build process to say
where exactly an -fPIE needs to be injected into a script/makefile,
but I feel that given the perceived general preference for ctypes-based
modules over python written ones, as the native code
implementations tend to be more performant, this feels like a large
security hole within the system. Given the nature of this "issue," I'm
not 100% sure of where it is best reported, but from what I can tell,
this conflicts with the Ubuntu hardening features and is definitely
exploitable should a native module contain a sufficiently exploitable
vulnerability that allows for control of the instruction register.
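The hardening-check output quoted in the comment above boils down to a few ELF header fields: the "Position Independent Executable" line is simply e_type == ET_DYN versus ET_EXEC, "Read-only relocations" is the presence of a PT_GNU_RELRO segment, and "Immediate binding" is DF_BIND_NOW / DF_1_NOW in the .dynamic array. The script below is an added example written for this page, not code from the bug report, from the python3.6 package, or from devscripts; it reimplements those three tests (plus a PT_GNU_STACK check that hardening-check does not do, and the DF_1_PIE flag newer linkers set so a PIE can be told apart from a plain shared object) using only the standard library, and builds a constructed, non-runnable sample ELF64 image so it can be exercised offline. The Fortify and stack-protector lines of hardening-check, which look at the symbol table, are deliberately left out. Run it with no arguments to inspect the running interpreter, or pass paths such as /usr/bin/python3.

```python
"""Minimal ELF hardening check: reproduces the PIE / RELRO / BIND_NOW tests of
hardening-check, plus a non-executable-stack check, with the standard library only."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def _program_headers(data, is64, endian):
    """Return (e_type, [(p_type, p_flags, p_offset, p_filesz), ...]) from an ELF image."""
    ehdr_fmt = endian + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    ehdr = struct.unpack(ehdr_fmt, data[:struct.calcsize(ehdr_fmt)])
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack(
                endian + "IIQQQQQQ", data[off:off + 56])
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack(
                endian + "IIIIIIII", data[off:off + 32])
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    return e_type, phdrs


def _dynamic_flags(data, is64, endian, dyn_off, dyn_size):
    """Collect DT_FLAGS and DT_FLAGS_1 from the .dynamic array (terminated by DT_NULL)."""
    fmt, size = (endian + "qQ", 16) if is64 else (endian + "iI", 8)
    flags = {DT_FLAGS: 0, DT_FLAGS_1: 0}
    for off in range(dyn_off, dyn_off + dyn_size, size):
        tag, val = struct.unpack(fmt, data[off:off + size])
        if tag == DT_NULL:
            break
        if tag in flags:
            flags[tag] = val
    return flags


def check_elf(data):
    """Return the hardening properties of an in-memory ELF image (bytes)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, endian = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type, phdrs = _program_headers(data, is64, endian)
    result = {
        "pie": e_type == ET_DYN,  # the same test hardening-check uses: ET_DYN vs ET_EXEC
        "df_1_pie": False,        # set by newer linkers so a PIE can be told from a .so
        "relro": False, "nx": False, "bind_now": False,
    }
    for p_type, p_flags, p_offset, p_filesz in phdrs:
        if p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)  # no PT_GNU_STACK: stack historically executable
        elif p_type == PT_DYNAMIC:
            flags = _dynamic_flags(data, is64, endian, p_offset, p_filesz)
            result["bind_now"] = bool(flags[DT_FLAGS] & DF_BIND_NOW or flags[DT_FLAGS_1] & DF_1_NOW)
            result["df_1_pie"] = bool(flags[DT_FLAGS_1] & DF_1_PIE)
    return result


def build_sample_elf(pie, bind_now, nx=True):
    """Constructed sample: a minimal ELF64 LE image with only the headers the checker reads.
    It contains no code and cannot be executed; it exists so the checks can run offline."""
    phnum, phoff = 3, 64
    dyn_off = phoff + phnum * 56
    flags1 = (DF_1_PIE if pie else 0) | (DF_1_NOW if bind_now else 0)
    dynamic = struct.pack("<qQ", DT_FLAGS_1, flags1) + struct.pack("<qQ", DT_NULL, 0)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # 64-bit, little endian, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, ET_DYN if pie else ET_EXEC, 62, 1,
                       0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)

    def phdr(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0, p_filesz, p_filesz, 8)

    phdrs = (phdr(PT_GNU_STACK, 0x6 if nx else 0x7) + phdr(PT_GNU_RELRO, 0x4)
             + phdr(PT_DYNAMIC, 0x6, dyn_off, len(dynamic)))
    return ehdr + phdrs + dynamic


def report(path):
    """Print a hardening-check style summary for a file on disk."""
    with open(path, "rb") as f:
        try:
            r = check_elf(f.read())
        except ValueError as e:
            print(f"{path}: {e}")
            return
    print(f"{path}:")
    print("  Position Independent Executable:", "yes" if r["pie"] else "no, normal executable!")
    print("  Read-only relocations:", "yes" if r["relro"] else "no, not found!")
    print("  Immediate binding:", "yes" if r["bind_now"] else "no, not found!")
    print("  Non-executable stack:", "yes" if r["nx"] else "no!")


if __name__ == "__main__":
    # With no arguments inspect the running interpreter, e.g. /usr/bin/python3 on Ubuntu.
    for p in sys.argv[1:] or [sys.executable]:
        report(p)
```

Two caveats for anyone using this on real binaries: ET_DYN alone is also what every shared library reports, so on toolchains that set DF_1_PIE the "df_1_pie" field is the more precise answer (on older binutils the flag is simply absent and only e_type is available, which is all hardening-check looks at); and a non-PIE interpreter is not "fixed" by -fPIE in CFLAGS alone, the final link must also be done with -pie, which is exactly what hardening=-pie in DEB_BUILD_MAINT_OPTIONS removes from the dpkg-buildflags output shown above.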